Ian,
Ian Grigg wrote:
> Julien Pierre wrote:
>> On the other hand, for someone to send you a signed e-mail, they have to obtain their own certificate from a CA, and agree with their terms of service, and the CA has the ability to revoke the certificate if those terms are broken. Therefore, using digital signatures for spam filtering makes sense, but using encryption does not.
> I think the main advantage is that your whitelist can be assured that it is a known sender, due to the caching of the cert. If it is a CA-signed cert or not seems irrelevant, as a spammer can send out a squillion messages well before a CA signs up and decides to dust off the revocation software.
> Any CAs around who'd like to comment on how long it might take to revoke a cert?
You would have to make a careful choice of which CAs you want to use if you were to implement such a PKI-based spam filtering policy. The policy could be set not only by the end user in his e-mail client, but also by an ISP at the SMTP agent level, who could verify signatures and only deliver valid signed emails to a non-spam whitelisted folder.
BTW, about 2 years ago, when I worked for AOL, I wrote a paper on this very topic - spam filtering with X.509 certificates and S/MIME digital signatures. Nobody ever cared about the idea, even as spam messages started costing millions of dollars to businesses everywhere. It was probably ahead of its time, but I still hope to see it implemented in some form someday. I'm sick of changing e-mail addresses every few months.
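The policy the two of them are describing (the ISP-side agent verifying the signature, honouring only a chosen set of CAs, checking revocation, and then recognising a sender by the cached certificate on later messages) can be sketched in a few dozen lines. What follows is an added illustration written for this page, not code from either poster, from AOL, or from Mozilla. It uses Go's standard-library X.509 support; the `Filter` type, the folder names and the three constructed senders are assumptions, and the S/MIME envelope is replaced by a raw ECDSA signature over the message body, since parsing CMS is beside the point here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Filter models the policy of a hypothetical ISP-side SMTP agent (not any real MTA's code).
type Filter struct {
	Roots   *x509.CertPool  // only the CAs the operator chose to honour
	Revoked map[string]bool // fingerprints reported revoked (stands in for a CRL/OCSP lookup)
	Cache   map[string]bool // fingerprints of sender certificates already accepted once
}

// Fingerprint is SHA-256 over the DER certificate; it keys the cache and the revocation set.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// Classify returns "trusted" for the whitelisted folder, otherwise the reason it was refused.
// sig is a raw ECDSA-P256/SHA-256 signature over body, standing in for the S/MIME structure.
func (f *Filter) Classify(body, sig []byte, signer *x509.Certificate, now time.Time) string {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, body, sig); err != nil {
		return "unverified: bad signature" // altered body, or a key that does not match the cert
	}
	fp := Fingerprint(signer)
	if f.Revoked[fp] {
		return "unverified: revoked"
	}
	// A sender seen before is recognised by the cached certificate alone, while it is still valid.
	if f.Cache[fp] && now.Before(signer.NotAfter) {
		return "trusted"
	}
	opts := x509.VerifyOptions{Roots: f.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := signer.Verify(opts); err != nil {
		return "unverified: issuer not in the chosen CA set"
	}
	f.Cache[fp] = true // first contact accepted: remember the certificate
	return "trusted"
}

// makeCert issues a constructed test certificate; parent == nil yields a self-signed CA.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors dropped: these inputs cannot fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sign produces the detached signature the sender's mail client would attach.
func sign(key *ecdsa.PrivateKey, body []byte) []byte {
	h := sha256.Sum256(body)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// Demo runs constructed scenarios and returns the folder decision for each.
func Demo() map[string]string {
	now := time.Now()
	chosenCA, chosenKey := makeCert("Chosen Mail CA", nil, nil)
	otherCA, otherKey := makeCert("Unvetted CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(chosenCA)
	f := &Filter{Roots: roots, Revoked: map[string]bool{}, Cache: map[string]bool{}}
	alice, aliceKey := makeCert("alice@example.test", chosenCA, chosenKey)
	bob, bobKey := makeCert("bob@example.test", chosenCA, chosenKey)
	mallory, malloryKey := makeCert("mallory@example.test", otherCA, otherKey)
	f.Revoked[Fingerprint(bob)] = true // the CA has revoked Bob's certificate
	body := []byte("Constructed sample message body\r\n")
	out := map[string]string{
		"alice_first":    f.Classify(body, sign(aliceKey, body), alice, now),
		"alice_tampered": f.Classify([]byte("altered body"), sign(aliceKey, body), alice, now),
		"bob_revoked":    f.Classify(body, sign(bobKey, body), bob, now),
		"mallory":        f.Classify(body, sign(malloryKey, body), mallory, now),
	}
	// Alice again with the CA set emptied: the cached certificate still identifies her.
	f.Roots = x509.NewCertPool()
	out["alice_cached"] = f.Classify(body, sign(aliceKey, body), alice, now)
	return out
}
```

The ordering inside `Classify` is the point: the signature check comes first, so a message with someone else's certificate attached never gets as far as the whitelist; the revocation lookup comes before the cache, so a cached sender whose certificate the CA has since pulled is dropped from the trusted folder on the next message; and the CA chain is only walked for first contact, which is what makes the cache, rather than the CA, the thing that identifies a known sender afterwards.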
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
